selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true

Unfortunately commit 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") added a five second sleep during early kernel boot, e.g. start_kernel(), which could cause a "scheduling while atomic" panic. This patch fixes this problem by moving the sleep out of checkreqprot_set() and into sel_write_checkreqprot() so that we only sleep when the checkreqprot setting is set during runtime, after the kernel has booted. The error message remains the same in both cases. Fixes: 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") Reported-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Paul Moore <paul@paul-moore.com> 2022-04-14 16:40:10 -0400
committer: Paul Moore <paul@paul-moore.com> 2022-04-14 16:44:21 -0400
commit: 6a9e261cbbee08c499f2331910027e8c40c8f81f (patch)
tree: 9478231587f3a1750bf1a200c57997381f5e715e /security/selinux/selinuxfs.c
parent: 81200b0265b15609dcecf192e3f7fb238ec0d3da (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 6c8b6a0ddecf..8fcdd494af27 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -762,6 +762,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
 	}
 
 	checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+	if (new_value)
+		ssleep(5);
 	length = count;
 
 	selinux_ima_measure_state(fsi->state);
author	Paul Moore <paul@paul-moore.com>	2022-04-14 16:40:10 -0400
committer	Paul Moore <paul@paul-moore.com>	2022-04-14 16:44:21 -0400
commit	6a9e261cbbee08c499f2331910027e8c40c8f81f (patch)
tree	9478231587f3a1750bf1a200c57997381f5e715e /security/selinux/selinuxfs.c
parent	81200b0265b15609dcecf192e3f7fb238ec0d3da (diff)